Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-01.txt
John Levine <johnl@taugh.com> Thu, 16 February 2023 22:05 UTC
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03290C16B5B6 for <dnsop@ietfa.amsl.com>; Thu, 16 Feb 2023 14:05:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.148
X-Spam-Level:
X-Spam-Status: No, score=-4.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="f+6juhFL"; dkim=pass (2048-bit key) header.d=taugh.com header.b="WYfDd3Ze"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FKVuPX_OM5S6 for <dnsop@ietfa.amsl.com>; Thu, 16 Feb 2023 14:05:15 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEADEC16B5C0 for <dnsop@ietf.org>; Thu, 16 Feb 2023 14:05:14 -0800 (PST)
Received: (qmail 4264 invoked from network); 16 Feb 2023 22:05:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10a5.63eea899.k2302; bh=kAPs4MRbis/7DrzvS0s/K9LFdl2BOaKXTGgw2dCsmD4=; b=f+6juhFLi/qG5m1VdjyAZ+NROxp1fe+ZuQPLfhCsrqrZ30jypYUtK9XRa+Ptfptp0kf2RaaXF/i2tGIELNH3eJUPEGAEfM/LuJ2JYnBkd/7QByFyA8Hj4bWpgjeoJahZO6ta++TEFLn1iSvDUQgAZQ0rEJjkVVzEAEV61B/sHqBD8eoXBXewARI83KNiXmVZVRl3bjOMrw3LKdPGCxY9hHqKAQl4uOwqWf/dS7hSLEinfdvoOpYhICXHwTmVrxKy1iGr2ohx+8bQBTyjHFm/s4cnOpN7t7nGwAPtQnkLOEd1j2AmnIHFpMMxw0zMU9AWrgevNWTfArzo4qOs+740Yw==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10a5.63eea899.k2302; bh=kAPs4MRbis/7DrzvS0s/K9LFdl2BOaKXTGgw2dCsmD4=; b=WYfDd3ZeVxT4ZxAFb6dAUpJwh6ecqYGKEmlASA/crQieCuNLnLs7zOHbyicOEiUmDjYndffHKbr0eFv2xiTYWMBJmLOxLpgAQ7xDPtmZVCSz8gAT4hmNTU744BwbIb0ElvR5YF7udiIqVGDekbk7HH3itPesfCkXTtqGzkf+MQQCdgFtifEWjBctR7HGXT9VTPPPCIF9k9JJcvK7eQu60czqDzzzTuLy/L63NcCLlEA85ot/k3Zg/BS0b8MI/NYcUUzqRtxhO2DKN2ChFJqaUZ4pv96vboKOY0M3bY3i6Zv7AdGgKLNVjroBnBnu/NwbH4naMdjEmuHkWwn4NYvbpg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 16 Feb 2023 22:05:12 -0000
Received: by ary.qy (Postfix, from userid 501) id 180EB9985F54; Thu, 16 Feb 2023 17:05:11 -0500 (EST)
Date: Thu, 16 Feb 2023 17:05:11 -0500
Message-Id: <20230216220512.180EB9985F54@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: shivankaulsahib@gmail.com
In-Reply-To: <CAG3f7Mi6WTNoHsVVZkjHgp0i-VDL-rEcEU8xhSiSAtm45EfHPA@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n98peDFBiVEkbed0hYHp7quTKqw>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2023 22:05:20 -0000
It appears that Shivan Kaul Sahib <shivankaulsahib@gmail.com> said: >-=-=-=-=-=- > >Hi folks, we (finally) published a new version of the domain verification >techniques draft, now as intended-BCP. We've had some feedback from >providers but would love for folks to review, especially people who would >actually use it. While I think it would be good to publish some best practices in this area, this draft still seems scattered and makes some assertions that seem to me to be somewhere between unsupported and mistaken. I think we agree that the goal is there are two parties, call them owner and verifier, and the verifier gives the owner a random token that the owner puts in its DNS to show it owns the domain. There are a bunch of different aspects that one can look at independently. One is where the token goes, in the name or contents of the owner's record. I think we agree that putting the token at the owner's host name is a bad idea, but either of these can work, with a1b2c3 being the random token: _a1b2c3.example.com IN ... "whatever" _crudco.example.com IN ... "a1b2c3" If you use a fixed prefix, _crudco in this case, you should register it in the RFC8552 attrleaf registry. Another is what record type to use. I find the arguments against CNAME unpersuasive, basically saying that if you do something dumb, it won't work, which is true, but it's always true. I realize that RFC1034 says not to chain CNAMEs, but we all know that people chain CNAMEs and it works, e.g. www.microsoft.com goes through three CNAMEs and it works fine. If you use a _name in the attrleaf registry or a _random prefix I would think the changes of a CNAME colliding with something else are low, and a verifier presumably controls its own DNS and can keep CNAME chains short. So any of these could work: _a1b2c3.example.com IN TXT "crudco" _a1b2c3.example.com IN CNAME verify.crudco.wtf. _crudco.example.com IN TXT "a1b2c3" _crudco.example.com IN CNAME _a1b2c3.crudco.wtf. As you sort of note in one of the appendices, you can have different tokens in the name and the content if for some reason that is useful. For the length of time the token is valid, there seem to be only two: five minutes for a one-off verification like for ACME, or forever for someone who is doing continuing analysis of something in your domain, typically web analytics. While I can see aesthetic reasons to get rid of expired one-off tokens, I don't see the point of putting an expiration time in them, nor any particular harm in leaving them there if they are at _name and not the main host name. You might also say something about TTLs, e.g., not to have a 12 hour TTL for a token you plan to remove in a few minutes. There are some other minor points. You say to generate 128 random bits, but then to hash them to 256 which I don't understand. (As RFC 4086 sec 6.2 notes, strong random bits often are already hash output.) If 128 bits is enough, use 128 bits, if you need 256, generate 256. Either way I'd do base32 rather than base64 encoding to make the result more robust against helpful software that does you a favor by case folding. Overall, I'd lay out the options, and point out the advantages or disadvantages of each rather than just saying "do this" without a strong basis not to do it the other ways that work fine in practice. R's, John
- [DNSOP] I-D Action: draft-ietf-dnsop-domain-verif… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-v… Shivan Kaul Sahib
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-v… John Levine
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-v… Mark Andrews
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-v… Alex Stuart
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-v… Paul Wouters